Not all exploits are created equal

Vulnerabilities and Patching

Patching vulnerabilities is something everyone with a technology footprint deals with on one level or another whether they realize it or not. Consumers patch vulnerabilities all the time even if they don’t realize that’s what they are doing. Updating a phone to the latest version of Android or iOS, for instance, often includes fixes for some underlying vulnerabilities. Choosing to restart a smart TV or an Amazon FireTV to apply updates may also be applying patches to security vulnerabilities.

In the world of operating systems and enterprise software, patching vulnerabilities is a regular occurrence. At least it should be. Microsoft regularly offers updates that fix a variety of security-related and non-security-related bugs in its software. Oracle, Adobe, and other software companies also provide regular patches, which commonly include fixes for security problems in their software. An entire industry of products has grown up to help enterprises probe for and track patch levels in software. Applying these patches is often disruptive to businesses, however, as system reboots are often required and sometimes patches break software that relies on the affected components. In order to maintain smooth business operation, proper testing must take place before applying the patches to critical systems. In enterprises this often leads to delays in getting patches deployed in a timely manner – if they get deployed at all.

Finding Vulnerabilities

Software and hardware creators learn about vulnerabilities in their systems via a variety of methods. Here are some common ways vulnerabilities are found:

Internal testing

Automated testing and tools that review source code provide feedback during development, allowing vulnerabilities to be fixed before products are even released. This is often performed as part of a Systems Development Lifecycle (SDLC) or Security Development Lifecycle (SDL), but may be done ad hoc during development as well. Techniques such as fuzzing may be employed to automate the search for vulnerabilities by rapidly throwing garbage at input fields, open network ports, or other pieces of the system and observing the response.

Independent Researchers

Sometimes researchers who specialize in finding vulnerabilities will discover an unpublished vulnerability in a piece of software or hardware. It is generally up to the researcher what they do with this knowledge. The accepted process is to reach out to the creator of the software or hardware, give them the details of the vulnerability, and allow them time to provide a fix before making any of the details public. Not all researchers follow this best practice, however, and sometimes vulnerabilities are disclosed before a fix has been made available. This often happens when the researcher feels the creator has taken too long to provide a fix, so they go ahead and publish the details. Other researchers may try to sell their vulnerabilities in the form of exploits in the criminal underground, where they may be used to aid malware infections or the compromise of specific, high-value targets.

Bug Bounties

Organizations can create bug bounty programs which offer rewards for validated vulnerabilities found in their systems. The rewards can vary depending on the criticality or relative value of the vulnerability found. These programs are meant to entice researchers into looking for vulnerabilities in the organization’s systems and offer an alternative to selling them in the underground.

Vulnerabilities Found in the Wild

Sometimes, either as a result of post-incident forensic examinations or through investigations into malware activity, a new vulnerability is discovered that is already being actively exploited. Normally when this happens, the activity is investigated and the underlying vulnerability is addressed through a patch or other mitigation, either in the regular patch release cycle or in a special “out-of-band” release that gets the fix out more quickly than waiting for the next scheduled patch day.

Enter the Exploit

Vulnerabilities are essentially academic in nature. They exist from the moment the software is written, whether or not anyone ever discovers them. Sometimes the discovery of a lurking vulnerability takes place many years after the code containing it was written. It’s not until someone produces a working exploit for the vulnerability that it truly becomes useful for malicious behavior.

Exploits are bits of code that are designed to take advantage of a specific vulnerability. Depending on the vulnerability being leveraged, exploits can result in an escalation of privilege, the ability to run malicious code without user input, or a hang or crash of the software producing a denial of service, amongst other results.

Not all exploits are created equal, however. Some work against default installations of software; some require very specific sets of criteria to be met. Examples include:

A specific flavor of operating system or version of software installed

A specific piece of software installed that must be running at the time of exploitation

Non-default services that must be running in order to be exploited

Certain non-default features enabled or a specific configuration in place

Sometimes, it takes stringing a number of exploits together to achieve the desired result. For example, in the recent Pwn2Own competition for 2017, researchers were attempting to escape from or “break out” of a virtual machine into the host operating system. To do this, they used three separate exploits against different software components in order to achieve the escape.

Not all vulnerabilities make for good exploits. In order for some vulnerabilities to be taken advantage of, very specific conditions must exist. It’s common for exploits to deliberately create the conditions necessary to reliably take advantage of a particular vulnerability. This isn’t always easy or possible, though. Some exploits may only end up successful a small percentage of times they are attempted. Sometimes, reliable exploitation of a specific vulnerability isn’t possible due to unfavorable or uncontrollable conditions. The vulnerability exists, there just isn’t a good way to take advantage of it.

The best exploits are those that can be reliably executed every time, require no user interaction, affect a large population of systems, and allow for remote code execution (RCE – the ability to force arbitrary code to run from a remote system). These are the “crown jewels” of the exploitation world and are fortunately fairly rare. Exploits that meet these criteria can be turned into worms, self-replicating and self-executing viruses. Conficker and WanaCry are examples of worms that leverage unpatched vulnerabilities to execute and spread.

Tavis Ormandy

While there are a great many talented vulnerability researchers, Tavis Ormandy has proven to be particularly skilled at finding viable exploits in software products. He has found bugs in a variety of security products from companies such as Sophos, Symantec, FireEye, TrendMicro, and Cloudflare. He has also found several bugs in Microsoft software. Many of his findings end up being critical in nature.

Earlier this year, Tavis tweeted that he and a fellow researcher had found “the worst remote code exec in recent memory”.

It turned out he had found a nasty bug in Windows Defender, the built-in antivirus software on Microsoft Windows. Tavis noted that this vulnerability would work against a default install of Windows, that it is not necessary to be on the same Local Area Network, and that it is wormable. It affected almost all recent versions of Windows (Windows 7, 8, 8.1, 10, and Server 2016).

Microsoft responded very quickly by releasing a patch only a few days later and acknowledged Tavis and his co-researcher, Natalie Silvanovich, for their work in discovering the vulnerability and notifying Microsoft of the details. Fortunately, Windows Defender attempts to update itself every 48 hours, so most affected systems were likely fixed within days of the release of the patch. Potential crisis averted. Because Tavis discovered and reported this potentially nasty bug, we may have been spared the spread of a nasty worm at some point in the future, had someone else discovered this vulnerability instead.

MS17-010

On March 14, 2017, just a few days after the patch for Windows Defender was released, Microsoft released its usual list of monthly patch updates. Among those updates was MS17-010, a patch for a vulnerability in Microsoft’s Server Message Block (SMB) protocol. The vulnerability is specific to SMBv1. Systems running SMBv2 and SMBv3 can be asked to downgrade to SMBv1 as part of standard communication, so most systems running SMB at all would be affected unless SMBv1 was specifically disabled (it is enabled by default for all versions of Windows). Unlike the other security fixes included in the patches released that day, no acknowledgement of who reported the vulnerability was included for MS17-010. It is currently unknown how Microsoft learned of this vulnerability.

The Shadow Brokers & The Equation Group

A group called The Shadow Brokers appeared in August of 2016 claiming to have a trove of cyber weapons (exploits and other tools) from an organization called the Equation Group. They released an encrypted archive supposedly containing nation-state level cyber attack tools and were attempting to auction the password to the archive. The Equation Group is a name given by Kaspersky researchers to the group behind several sophisticated hacking tools like Stuxnet, Flame, and Duqu.

After failing to raise the amount they were seeking in the auction for the archive, they eventually released the password in a post on Medium on April 9, 2017. Ultimately, they only collected about 10.5 bitcoin (roughly $24k USD) but had been looking for 10,000 bitcoin (worth about $22.4 Million USD as of this writing). The bitcoin collected finally began moving around on May 29, 2017, perhaps in an attempt to cash it in.

The archive, it turned out, wasn’t that interesting. Most of the included exploits had been patched quite a while back, making them far less useful than they could have been.

Just days later, on April 14, 2017, The Shadow Brokers released another encrypted archive along with the associated password containing much more damaging contents. This release contained more recent exploits and an attack framework tool.

ETERNALBLUE & WanaCry

ETERNALBLUE was the name of one of the exploits released by The Shadow Brokers on April 14, 2017. This exploit took advantage of the SMB vulnerability (MS17-010) patched exactly one month prior, on March 14, 2017. The exploit code in ETERNALBLUE turned out to be very reliable, and it takes advantage of a vulnerability that exists in a wide install base and allows for remote code execution. On top of all this, the prevalence of unpatched Windows systems (including old versions of Windows XP) in places like Russia, China, and parts of Eastern Europe made the perfect kindling for the fire that would be the WanaCry ransomware worm.

Here was the perfect combination: a recently patched vulnerability, a wide supply of vulnerable systems, working exploit code, and software designed to replicate itself and encrypt exposed files. Many vulnerable systems were also connected to the Internet without SMB communication being blocked, which helped accelerate the spread of the worm.

Concluding Thoughts

On December 14, 2016, The Shadow Brokers advertised a pack of tools for sale for 750 bitcoin, including mention of an SMB zero-day exploit (an exploit for which no patch is available). The SMB exploit was available separately for 250 bitcoin. This prompted US-CERT to release guidance on SMB best practices on January 19, 2017. The recommendations included disabling SMBv1 and ensuring SMB-related network ports were blocked at perimeter firewalls.
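The two US-CERT recommendations above (disable SMBv1, keep SMB ports off untrusted networks) are the checks a defender would want to run on a Windows host, alongside confirming the MS17-010 update is installed. The script below is an added example written for this page; it is not from the article, from US-CERT, or from Microsoft. It assumes Windows 8 / Server 2012 or later for the SmbShare and NetSecurity cmdlets, with a registry fallback for the SMBv1 server setting on older builds. The MS17-010 KB number varies by OS build and is not given on the page, so the KB parameter is a placeholder, and the firewall rule name is one chosen for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not the article's, US-CERT's or Microsoft's code): audit a Windows host
# against the SMB guidance cited above and, with -Remediate, apply it.
param(
    [switch]$Remediate,
    # Placeholder: substitute the MS17-010 KB that applies to this OS build.
    [string]$Ms17010Kb = 'KB0000000'
)

$SmbBlockRuleName = 'Block inbound SMB on public networks'   # name chosen for this example
$Smb1RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1ServerEnabled {
    # Windows 8 / Server 2012 and later expose the setting through the SmbShare module;
    # older builds only have the LanmanServer "SMB1" registry value. A missing value
    # means SMBv1 is on, matching the enabled-by-default behaviour the article describes.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $value = (Get-ItemProperty -Path $Smb1RegPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $value) -or ($value -ne 0)
}

function Get-SmbListeners {
    # Local addresses on which TCP 139/445 are listening (Get-NetTCPConnection needs Windows 8+).
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 139, 445 } |
        Select-Object LocalAddress, LocalPort
}

function Test-Ms17010Installed {
    param([string]$Kb)
    return [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

function Get-SmbAudit {
    [pscustomobject]@{
        Smb1ServerEnabled = Get-Smb1ServerEnabled
        Ms17010Installed  = Test-Ms17010Installed -Kb $Ms17010Kb
        SmbListeners      = @(Get-SmbListeners)
        PublicBlockRule   = [bool](Get-NetFirewallRule -DisplayName $SmbBlockRuleName -ErrorAction SilentlyContinue)
    }
}

function Invoke-SmbHardening {
    # 1. SMBv1 server off.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $Smb1RegPath -Name SMB1 -Type DWord -Value 0 -Force
    }
    # 2. SMBv1 client off: mrxsmb10 is the SMBv1 client driver, and the workstation
    #    service must stop depending on it. Takes effect after a reboot.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    # 3. Host firewall: block inbound SMB on the Public profile. This complements the
    #    perimeter block US-CERT recommended; it does not replace it.
    if (-not (Get-NetFirewallRule -DisplayName $SmbBlockRuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $SmbBlockRuleName -Direction Inbound `
            -Protocol TCP -LocalPort 139, 445 -Profile Public -Action Block | Out-Null
    }
}

$before = Get-SmbAudit
$before | Format-List
if ($Remediate) {
    Invoke-SmbHardening
    Write-Host 'Remediation applied; a reboot is required for the SMBv1 client change.'
    Get-SmbAudit | Format-List
} elseif ($before.Smb1ServerEnabled -or -not $before.Ms17010Installed) {
    Write-Warning 'Host is exposed: SMBv1 is enabled and/or MS17-010 is not installed. Re-run with -Remediate.'
}
```

Run it without switches from an elevated prompt to see the audit; the listener list shows which interfaces would answer an SMB connection, which is the host-side view of the perimeter exposure the article blames for WanaCry's spread. The Public-profile block is deliberately narrow, since domain and private networks usually need file sharing; the perimeter firewall rule from the US-CERT guidance remains the control that matters for Internet-facing exposure.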

While it doesn’t appear that ETERNALBLUE was mentioned in The Shadow Brokers’ December posts, ETERNALROMANCE was shown in a screenshot on The Shadow Brokers Twitter feed. ETERNALROMANCE also targeted an SMB vulnerability that was addressed in the MS17-010 patch from Microsoft. It may be that someone in the US government familiar with the tools tipped off Microsoft regarding these exploits so they could be patched.

Once this “crown jewel” of The Shadow Brokers’ pack of tools was blown by the Microsoft patch, it could be that they decided to simply release it for free along with the other material they were trying to sell. Having failed to sell the tools in an auction, failed to sell them via crowdfunding, and failed in their appeal for a direct sale, they may have chosen to release the tools and exploits for free because they had no way left to monetize them.

The Shadow Brokers, apparently still trying to find avenues for monetization, are now advertising a Monthly Data Dump which, as they mention, could contain anything from newer exploits against Windows 10 to secret data from various nation states. It’s hard to say what they actually have. They aren’t specific this time around regarding what they are trying to sell. It has been suggested that their Equation Group tools came from a compromised NSA staging server back in 2013. If so, they may not have much left to release from that compromise. Regardless, given the group’s history it’s fair to suggest that they continue to be monitored for further developments.

As for exploits, it’s important to understand the details behind them and which ones are particularly dangerous. The last two significant exploits that led to successful Internet worms, MS08-067 (Conficker) and MS17-010 (WanaCry), were discovered as a result of the release of nation-state level attack tools (Stuxnet and ETERNALBLUE respectively). Staying informed is the key to staying out of the headlines. Organizations that followed US-CERT’s guidance back in January likely did not have significant issues with WanaCry. Organizations that recognized the significance of a vulnerability leading to remote code execution in the SMB protocol likely patched MS17-010 as quickly as they could. If only the rest of the world paid as close attention, May 12, 2017 would have been just another day.

Source: Honeypot Tech

The Power of an Exploit – Fireboss, 2017-05-31

If you’re wondering what it takes to win an ice cold pint at one of our Race to Biella events, this clip will give you more of an idea. It’s no mean feat!! Do you think you have the pedal power? Join us tonight at The Avonbridge Hotel for sunshine, cycling and, of course, a refreshing pint or two.

Glasgow-based creative content agency Bright Signals were contacted by Wire with a brief for a pretty tasty project: create something for Menabrea that ties in with the Giro d’Italia cycle race passing close to the brewery in Biella, Northern Italy.

Cycle race, was it? Menabrea brewery, you say?

The team at Bright Signals came up with the superb idea of a bicycle-powered Menabrea beer dispenser.

It must be noted that when I said the words ‘bicycle-powered beer dispenser’ aloud in the Raspberry Pi office, many heads turned and Director of Software Engineering Gordon Hollingworth dropped everything he was doing in order to learn more.

The final build took a fortnight to pull together, with Bright Signals working on the Raspberry Pi-controlled machine and Wire in charge of its graphic design.

Reuse, reduce, return to the bar

“This was probably one of the most enjoyable builds I’ve worked on,” says Bright Signals’ Deputy Managing Director, Grant Gibson. “We had a really clear idea of what we were doing from the start, and we managed to reuse loads of parts from the donor bicycle as we simplified the bike and built the pouring system.” The team integrated the bottle cage of the donor bike into the main dispensing mechanism, and the bike’s brake levers now cradle a pint glass at the perfect angle for pouring.

A Raspberry Pi powers the 24″ screen atop the beer dispenser, as well as the buttons, pouring motors, and lights.

Giro di Scozia

Fancy trying Menabrea’s bicycle-powered beer dispenser for yourself? The final stop of its 4-week tour will be the Beer Cafe in Glasgow this Friday 2nd June. If you make it to the event, be sure to share your photos and video with us in the comments below, or via our social media channels such as Twitter, Facebook, and Instagram. And if you end up building your own beer-dispensing cycle, definitely write up a tutorial for the project! We know at least one person who is keenly interested…

The need to be “connected” at all times and have a “smarter” home is putting a huge stress on our home networks. Think about the typical house today, which has 10 or more connected devices such as tablets, laptops, smartphones, gaming systems, appliances and so on. Forecasts expect this number to grow over the next few years with 35 to 50 or more connected devices in the average home.

Today’s home network infrastructure is struggling to keep pace with the increasing demands for bandwidth. To create the best possible experience for consumers, we must deliver faster broadband connections along with more consistent connectivity that extends to all corners of the home.

Faster Broadband Access

Networks need to be faster, smarter and flexible enough to be upgraded without disrupting existing infrastructure. This is why we are expanding the Intel AnyWAN product family with a new G.fast solution. The Intel AnyWAN SoCs, in combination with the new Intel AnyWAN transceiver VRX618, will give telco service providers the ability to harness the speed of the new G.fast standard to bring gigabit access to the home while still maintaining backward compatibility with legacy copper access technologies for smooth migration.

Home Connectivity Hubs

Once we have faster connectivity to the home, the goal is to carry that connectivity to the various devices within the home, with gateways serving as a “hub” or controller. I’m excited about the number of leading OEMs and service providers who are introducing new gateways and routers, including ASUS, Deutsche Telekom, Netgear and Phicomm. These new gateways are using Intel’s unique Wi-Fi offering that allows up to 128 clients — seriously, up to 128 clients — to share the same bandwidth simultaneously and still maintain high-speed connections. As a result, they can scale to accommodate the growing number of connected devices we are bringing into our homes.

For cable networks, we have been investing and leading innovations for many years, including a leading role in the specification and development of the DOCSIS 3.1 standard and, now, Full Duplex DOCSIS. This week during ANGA COM, we showcased with Cisco the first live industry demonstration of Full Duplex DOCSIS 3.1, from cloud to client. Full Duplex DOCSIS 3.1 enables cable providers to offer higher speed connections at lower capex and also faster time to market of more sophisticated services and applications to their customers.

Whole Home Coverage

The challenge with many of today’s home networks is that using a singular connectivity hub doesn’t always provide consistent, reliable connectivity to every corner of a home. As you have probably seen in your own house, Wi-Fi throughput degrades as a connected device gets farther away from that central home gateway. Even with repeaters and extenders, the increased pressure on the infrastructure from more devices and connected activities results in inefficiencies and inconsistent throughput.

To address this challenge, Intel is introducing the Intel Home Wi-Fi Development Kit. Our partners can use this to develop a dynamic, adaptable network of gateways and intelligent range extenders. In addition to providing “coverage,” this type of intelligent network anticipates and adjusts dynamically, ensuring that consistent connectivity is delivered to each client device, regardless of the number of devices or bandwidth demands.

Connectivity is the electricity of the domestic revolution, and it needs to be just as reliable as any utility service in a home. As we embark on our path to a well-connected home, we can start to deliver on the promise of a truly smart home.

Figure 1: IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Threats

This section provides summaries and links to the top threat intelligence stories from this past week. All IOCs from these stories are attached to this threat briefing and can be used for indicator matching against your logs.

Most Chipotle Restaurants Hacked With Credit Card Stealing Malware (May 28, 2017)
Chipotle has released additional information concerning a malware infection that affected “most, but not all restaurants.” The restaurant chain first confirmed the incident on April 25, 2017, and has now reported that the breaches took place between March 24 and April 18. The malware infected Chipotle cash registers and was designed to steal track data from the magnetic strip on credit cards. At the time of this writing, it is unknown how many people may have had their credit card data stolen.
Recommendation: Point-of-Sale (POS) systems are a specialized type of computer and rely on the same preventative measures as any other endpoint. In the case of a confirmed infection, the POS must be taken offline until it can be completely wiped and restored to its original factory settings. An audit of the transactions performed on the POS should occur along with a formal incident response investigation.
Tags: Breach, Credit card theft

RoughTed: The Anti Ad-Blocker Malvertiser (May 25, 2017)
Malwarebytes researchers have published their findings regarding a large-scale malvertising campaign dubbed “RoughTed” that has been active for at least one year. The actors behind this campaign tailor fingerprinting techniques to bypass ad-blockers. The malicious advertisements direct users to domains that host exploit kits, which tailor the malicious payloads. The payloads vary depending on the geolocation, operating system, and web browser of the visiting machine.
Recommendation: Malvertising and exploit kits in general are being developed and improved constantly by cybercriminals, so keeping software updated with the latest security patches is critical for users and enterprises. This includes both the operating system and all applications being used. Make sure there is a security system in place that can proactively provide a comprehensive defense against attackers targeting new vulnerabilities.
Tags: Malvertising

Malspam Pushing Jaff Ransomware (May 24, 2017)
A new malspam campaign has been discovered to be distributing Jaff ransomware via malicious PDF attachments. The PDF attachments have embedded Word documents that will infect the machine if macros are enabled. As of this writing, the malware demands 0.33359562 Bitcoins ($896.19 USD) for the decryption key.
Recommendation: All employees should be educated on the risks of malspam, and how to identify such attempts. Poor grammar and urgent content are often indicators of these types of attacks. Additionally, messages that request a recipient to open a file attachment should also be avoided.
Tags: Ransomware, Malspam

7-Year-Old Samba Flaw Lets Hackers Access Thousands of Linux PCs Remotely (May 24, 2017)
A remote code execution vulnerability, registered as CVE-2017-7494, has been discovered in all versions after 3.5.0 of the open source networking software Samba. Samba uses the Server Message Block (SMB) protocol to allow operating systems like Linux or macOS to share network files, folders, and printers with Windows operating systems. Researchers used the Shodan search engine and discovered that, as of this writing, approximately 485,000 computers are using Samba, and 104,000 machines are running vulnerable versions.
Recommendation: Threat actors are often observed to use vulnerabilities even after they have been patched by the affected company. Therefore, it is crucial that policies are in place to ensure that all employees install patches as soon as they are made available.
Tags: Vulnerability

Qatar Begins Probe After State News Agency Hacked (May 24, 2017)
The Qatar Communications Office has stated that the Qatar News Agency (QNA) website and Twitter account were compromised by unknown actors. The cybercriminals then posted content on the QNA website pretending to come from the country’s foreign minister, Mohammed bin Abdulrahman Al-Thani. The foreign minister’s purported content discussed the Palestinian-Israeli conflict, the Palestinian Islamist movement Hamas, and strategic relations with Iran. Social media platforms in Gulf countries subsequently erupted as users insulted and accused each other of wrongdoing. This incident occurred as U.S. President Trump was traveling in Middle Eastern countries.
Recommendation: This story represents potential threats and attacks that can arise from current geopolitical developments. Therefore, awareness of tension between countries and governments can potentially grant some insight as to where attacks may originate. It is crucial that server software be kept up-to-date with the most current versions and that all external facing assets are carefully monitored and scanned for unusual activity and vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.
Tags: Compromised website, Geopolitical

Threat Spotlight: The Return of Qakbot Malware (May 23, 2017)
The information stealing malware called “Qakbot” (Qbot) has been observed to be increasing its infection efforts, according to Cylance researchers. The researchers note that, as of this writing, it is unknown what is causing the increased infections, although it may be possible that the actors behind Qakbot are using different exploit kits for propagation. The malware’s polymorphic features have helped it remain active since at least 2009.
Recommendation: Always keep your browser and operating system up to date, including any browser add-ons you may need (Flash, Java). Employ network as well as host based detection and prevention systems where possible. In the case of Qakbot infection, the affected system must be wiped and reformatted, and other devices on the network should be checked for similar infections.
Tags: Malware, Exploit Kits

Jaff Ransomware Gets a Makeover (May 23, 2017)
Security researcher Brad Duncan has discovered that the “Jaff” ransomware, first discovered in early May 2017, has been updated. This new variant has an updated decoy document that is being distributed via the Necurs botnet and is using the .wlu file extension for encrypted files. The Jaff malspam campaign is using PDF attachments with embedded Word documents that pose as an invoice, and request that macros be enabled to properly view the document. If done, the ransomware will encrypt files and append .wlu to them. The cybercriminals request approximately 0.356 Bitcoins ($837 USD) for the decryption key.
Recommendation: Always be on high alert while reading email, in particular when it has attachments, attempts to redirect to a URL, comes with an urgent label, or uses poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders. Additionally, it is important to have a comprehensive and tested backup solution in place for the unfortunate case of ransomware infection.
Tags: Ransomware, Malspam

Russia Dismantles Major Cybercrime Operation Targeting Bank Accounts via Android Malware (May 23, 2017)
The Russian Interior Ministry has announced that it has identified 20 suspects believed to be associated with the threat group behind the Android banking trojan called “Cron.” Russian authorities apprehended 16 members in November 2016, and another member in April 2017. The Cron malware dates back to at least 2015, and could be leased by cybercriminals on underground markets. Researchers believe that the malware has stolen approximately $900,000 USD.
Recommendation: Always keep your mobile phone fully patched with the latest security updates. Use the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores.
Tags: Cybercrime

Tax Worker Fired After Biggest Privacy Breach at Revenue Canada (May 22, 2017)
An employee at the Canada Revenue Agency (CRA) has been fired for unauthorized access to approximately 1,264 CRA accounts. The CRA stated that it discovered the incident after an investigation was launched on March 23, 2016, but is only now releasing information about the breach. Data associated with the accounts consisted of contact information, employment information, full name, income and deductions, and social insurance number.
Recommendation: Policies should be in place regarding employee account privileges in order to limit access to data. Additionally, guidelines should also be in place that educate employees who do have access to sensitive information on how to properly access and handle the data.
Tags: Breach

Be Aware: WannaCry Ransomware Outbreak Used by Phishing Attacks (May 22, 2017)
Researchers have discovered a new phishing campaign that purports to be a “security upgrade” from the U.K. telecommunications provider, British Telecommunications (BT). The email claims that due to recent “security breaches on an international scale” BT is launching preventative measures via a security update. The email provides a link that directs a recipient to a fake website that will steal BT credentials.
Recommendation: It is important that your company institute policies to educate your employees on phishing attacks. Specifically, how to identify such attacks and whom to contact if a phishing email is identified.
Tags: Ransomware, Phishing

New XData Ransomware Spreads Faster Than WannaCry (May 22, 2017)
A new ransomware campaign has been identified to be targeting businesses and individuals in Ukraine at a significant pace, according to the security researcher MalwareHunter. The ransomware is called “XData” and, as of this writing, has infected four times as many victims as an entire week of the global WannaCry ransomware campaign.
Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place. If a reproducible backup is not available, there may be a decryptor available that can assist in retrieving encrypted files. Additionally, educate your employees about the dangers of downloading applications when they are not offered from the website of the official provider/developer.
Tags: Ransomware

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section.

RIG exploit kit Tool Tip
The RIG exploit kit is a framework used to exploit client side vulnerabilities in web browsers. The RIG exploit kit takes advantage of vulnerabilities in Internet Explorer, Adobe Flash, Java and Microsoft Silverlight. The RIG exploit kit was first observed in early 2014. The RIG exploit kit’s objective is to upload malicious code to the target system. The RIG exploit kit is known to distribute ransomware, spambots and backdoors. Victims are redirected to the RIG exploit kit landing page from malvertising or compromised sites.
Tags: RIG, exploitkit

Looking to share your day, event, or the observations of your nature box live on the internet via a Raspberry Pi? Then look no further, for Alex Ellis has all you need to get started with YouTube live-streaming from your Pi.

The YouTube live dashboard. Image c/o Alex Ellis

If you spend any time on social media, be it Facebook, Instagram, YouTube, or Twitter, chances are you’ve been notified of someone ‘going live’.

Live-streaming video on social platforms has become almost ubiquitous, whether it’s content by brands, celebrities, or your cousin or nan – everyone is doing it.

Carrie Anne and Alex offer up a quick tour of the Pi Towers lobby while trying to figure out how Facebook Live video works.

YouTube live-streaming with Alex Ellis and Docker

In his tutorial, Alex demonstrates an easy, straightforward approach to live-streaming via a Raspberry Pi with the help of a Docker image of FFmpeg he has built. He says that with the image, instead of “having to go through lots of manual steps, we can type in a handful of commands and get started immediately.”

Why is the Docker image so helpful?

As Alex explains on his blog, if you want to manually configure your Raspberry Pi Zero for YouTube live-streaming, you need to dedicate more than a few hours of your day.

Normally this would have involved typing in many manual CLI commands and waiting up to 9 hours for some video encoding software (ffmpeg) to compile itself.

Get anything wrong (like Alex did the first time) and you have to face another nine hours of compilation time before you’re ready to start streaming – not ideal if your project is time-sensitive.

See you in 8-12 hours? Building ffmpeg on a my @Raspberry_Pi #pizero with @docker

Using the Docker image

In his tutorial, Alex uses a Raspberry Pi Zero and advises that the project will work with either Raspbian Jessie Lite or PIXEL. Once you’ve installed Docker, you can pull the FFmpeg image he has created directly to your Pi from the Docker Hub. (We advise that while doing so, you should feel grateful to Alex for making the image available and saving you so much time.)

It goes without saying that you’ll need a YouTube account in order to live-stream to YouTube; go to the YouTube live streaming dashboard to obtain a streaming key.

Get live streaming to @YouTube with this new weekend project and guide using your @Raspberry_Pi and @docker. https://t.co/soqZ9D9jbS

For a comprehensive breakdown of how to stream to YouTube via a Raspberry Pi, head to Alex’s blog. You’ll also find plenty of other Raspberry Pi projects there to try out.
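The streaming key obtained from the YouTube dashboard is a credential: anyone who has it can broadcast to your channel. The wrapper below is an added example, not part of Alex Ellis’s tutorial or his Docker image, showing how the “pull the image, get a key, start streaming” steps can be scripted so the key is read from a permission-restricted file and handed to the container through the environment rather than typed on the command line (where it would land in shell history). The image name EXAMPLE/ffmpeg-image:tag is a placeholder, and the camera device, encoder and bitrate are assumptions rather than settings from the post.

```shell
#!/bin/sh
# Added example (not Alex Ellis's code): wrap the YouTube streaming step so the
# stream key is treated as a secret. Assumptions: EXAMPLE/ffmpeg-image:tag is a
# placeholder image name, the camera is a V4L2 device on /dev/video0, and the
# container's ffmpeg was built with libx264 and the aac encoder.

YOUTUBE_INGEST="rtmp://a.rtmp.youtube.com/live2"   # YouTube's RTMP ingest URL
IMAGE="${IMAGE:-EXAMPLE/ffmpeg-image:tag}"         # placeholder image name

# A stream key is expected to be non-empty and made only of letters, digits and
# hyphens; anything else (a typo, a pasted shell metacharacter) is rejected
# before it can reach a command line.
valid_key() {
    case "$1" in
        "")               return 1 ;;
        *[!A-Za-z0-9-]*)  return 1 ;;
        *)                return 0 ;;
    esac
}

# Octal permission bits of a file (GNU stat on Raspbian, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Refuse a key file that other local users could read.
key_file_ok() {
    [ -f "$1" ] || return 1
    case "$(file_mode "$1")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Build the docker command line. The inner ffmpeg command is single-quoted, so
# $YT_KEY is expanded by the shell inside the container rather than on the
# host: `ps` on the Pi shows the literal text $YT_KEY, not the key. A silent
# audio track is added with anullsrc because YouTube's ingest expects audio.
build_cmd() {
    dev="$1"
    printf '%s' "docker run --rm --device $dev -e YT_KEY $IMAGE sh -c 'ffmpeg -f v4l2 -i $dev -f lavfi -i anullsrc -c:v libx264 -preset ultrafast -b:v 1500k -c:a aac -f flv $YOUTUBE_INGEST/\$YT_KEY'"
}

# Usage: stream /path/to/stream.key [/dev/videoN]
stream() {
    keyfile="$1"
    dev="${2:-/dev/video0}"
    key_file_ok "$keyfile" || { echo "refusing $keyfile: not a file with mode 0600/0400" >&2; return 1; }
    key=$(head -n 1 "$keyfile")
    valid_key "$key" || { echo "stream key in $keyfile has an unexpected format" >&2; return 1; }
    # The key is exported only into the environment of this one command.
    YT_KEY="$key" sh -c "$(build_cmd "$dev")"
}

# Typical use, after `docker pull` of the image:
#   printf '%s\n' 'your-stream-key' > ~/stream.key && chmod 600 ~/stream.key
#   stream ~/stream.key
```

The key is still visible inside the container (and via `docker inspect` to anyone who can talk to the Docker socket, which on a single-user Pi is the same person), so the file permission check is the control that matters; rotate the key from the YouTube dashboard if the Pi or its SD card is ever shared.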

Why live-stream from a Raspberry Pi?

We see more and more of our community members build Raspberry Pi projects that involve video capture. The minute dimensions of the Raspberry Pi Zero and Zero W make them ideal for fitting into robots, nature boxes, dash cams, and more. What better way to get people excited about your video than to share it with them live?

If you have used a Raspberry Pi to capture or stream footage, make sure to link to your project in the comments below. And if you give Alex’s Docker image a go, do let us know how you get on.

If there’s one thing we like more than a project video, it’s a project video that has style. And that’s exactly what we got for the Fleischer 100, a Raspberry Pi-powered cartoon sound effects typewriter created by James McCullen.

The goal of this practical project was to design and make a hardware device that could play numerous sound effects by pressing buttons and tweaking knobs and dials. Taking inspiration from old cartoons of the 1930s in particular – the sound effects would be in the form of mostly conventional musical instruments that were often used to create sound effects in this period of animation history.

The golden age of Foley

Long before the days of the drag-and-drop sound effects of modern video editing software, there were Foley artists. These artists would create sound effects for cartoons, films, and even live performances, often using everyday objects. Here are Orson Welles and the King of Cool himself, Dean Martin, with a demonstration:

The Fleischer 100

“The goal of this practical project was to design and make a hardware device that could be used to play numerous sound effects by pressing buttons and tweaking knobs and dials,” James says, and explains that he has been “taking inspiration from old cartoons of the 1930s in particular”.

Images on the buttons complete the ‘classic cartoon era’ look

With the Fleischer 100, James has captured that era’s look and feel. Having recorded the majority of the sound effects using a Rode NT2-A microphone, he copied the sound files to a Raspberry Pi. The physical computing side of building the typewriter involved connecting the Pi to multiple buttons and switches via a breadboard. The buttons are used to play back the files, and both a toggle and a rotary switch control access to the sound effects – there are one hundred in total! James also made the customized housing to achieve an appearance in line with the period of early cartoon animation.

Turning the typewriter roller selects a new collection of sound effects

Regarding the design of his device, James was particularly inspired by the typewriter in the 1930s Looney Tunes short Hold Anything – and to our delight, he decided to style the final project video to match its look.

This past weekend, while I was attending one of the world’s biggest auto racing events in my hometown of Indianapolis, I couldn’t help but think about the similarities between the race and what I do at Intel. When cars are flying around the track, speed and reliability are absolutely critical. But what sets the winning drivers and teams apart is their intense dedication to continuous improvement that leads to better, more efficient ways of doing things, whether it’s faster pit stops or innovating next-gen technology. And I feel like we at Intel are achieving just that for cable broadband.

Nielsen’s Law of Internet Bandwidth states that users’ bandwidth increases 50 percent each year, and, as a result, consumers are seeing continuous improvements in cable bandwidth. These faster speeds support the many smart, connected devices we now have in our homes and enable higher-quality connected experiences — from virtual reality to immersive PC gaming to 4K streaming and more. In fact, the number of connected devices per home is expected to grow to more than 35 by the year 2020. While this is exciting for consumers, it raises several questions for our industry: What does this mean for network infrastructure? And how do we expand its capacity to accommodate increased demand, without disrupting service, yet still provide great experiences?

The current generation of Ultra DOCSIS 3.0 solutions (such as those based on the Intel Puma 6 SoC) ushered in the first generation of 1 Gbps hybrid fiber-coaxial (HFC) cable networks. The most recent DOCSIS technology (DOCSIS 3.1), developed by Intel in collaboration with its partners, paves the way to multigigabit speeds, meaning it can compete with fiber alternatives. Full Duplex DOCSIS 3.1 (FDX) is the next step in evolutionary technology advancement that enables simultaneous gigabit upstream and multigigabit downstream, all over the same frequency spectrum.

Ready for prime time

Although not a new idea, full-duplex communication (the transmission and reception of signals at the same frequency at the same time) is a hot topic because of advances in signal processing that now allow actual commercial deployment of Full Duplex DOCSIS networks.

Intel and Cisco gave the industry its first live demonstration of Full Duplex DOCSIS, from cloud to client, at ANGA COM 2017. The demonstration showed conference attendees how the specification, which Intel has played a leading role in developing, enables service providers to offer higher-speed symmetrical bandwidth. This creates the best experience possible for customers while lowering the total cost of ownership.

Exceeding expectations with technology

Since their first generation, Intel Puma SoCs have delivered DOCSIS technology that keeps pace with Nielsen’s Law at lower cost than new fiber construction. Our next generation of Intel Puma SoCs will do the same, and Intel’s Full Duplex DOCSIS innovations will enable cable providers to deliver multigigabit speeds to tens of millions of homes across the country.

And the push for innovation doesn’t stop there. Intel is also investing in transforming networks as described recently by Dan Rodriguez, Intel VP of communications infrastructure, in a blog post about how network function virtualization (NFV), including cable access network workloads, will run on virtual machines.

We will continue to support cable operators with faster speeds and cost-effective solutions to roll out multigigabit symmetrical services through the latest Intel innovations: Intel Puma SoCs, FPGAs and Intel Xeon processors. With Full Duplex DOCSIS, the future is symmetrical and full of new, smart and connected experiences.

We’ve got some great news to share today: the Raspberry Pi Foundation is joining forces with the CoderDojo Foundation, in a merger that will give many more young people all over the world new opportunities to learn how to be creative with technology.

CoderDojo is a global network of coding clubs for kids from seven to 17. The first CoderDojo took place in July 2011 when James Whelton and Bill Liao decided to share their passion for computing by setting up a club at the National Software Centre in Cork. The idea was simple: provide a safe and social place for young people to acquire programming skills, learning from each other and supported by mentors.

Since then, James and Bill have helped turn that idea into a movement that reaches across the whole world, with over 1,250 CoderDojos in 69 countries, regularly attended by over 35,000 young Ninjas.

Raspberry Pi and CoderDojo have each accomplished amazing things over the last six years. Now, we see an opportunity to do even more by joining forces. Bringing together Raspberry Pi, Code Club, and CoderDojo will create the largest global effort to get young people involved in computing and digital making. We have set ourselves an ambitious goal: to quadruple the number of CoderDojos worldwide, to 5,000, by the end of 2020.

The enormous impact that CoderDojo has had so far is down to the CoderDojo Foundation team, and to the community of volunteers, businesses, and foundations who have contributed expertise, time, venues, and financial resources. We want to deepen those relationships and grow that community as we bring CoderDojo to more young people in future.

The CoderDojo Foundation will continue as an independent charity, based in Ireland. Nothing about CoderDojo’s brand or ethos is changing as a result of this merger. CoderDojos will continue to be platform-neutral, using whatever kit they need to help young people learn.

In technical terms, the Raspberry Pi Foundation is becoming a corporate member of the CoderDojo Foundation (which is a bit like being a shareholder, but without any financial interest). I will also join the board of the CoderDojo Foundation as a director. The merger is subject to approval by Irish regulators.

How will this work in practice? The two organisations will work together to advance our shared goals, using our respective assets and capabilities to get many more adults and young people involved in the CoderDojo movement. The Raspberry Pi Foundation will also provide practical, financial, and back-office support to the CoderDojo Foundation.

Last June, I attended the CoderDojo Coolest Projects event in Dublin, and was blown away by the amazing projects made by CoderDojo Ninjas from all over the world. From eight-year-olds who had written their first programs in Scratch to the teenagers who built a Raspberry Pi-powered hovercraft, it was clear that CoderDojo is already making a huge difference.

I am thrilled that we’re going to be working closely with the brilliant CoderDojo team, and I can’t wait to visit Coolest Projects again next month to meet all of the Ninjas and mentors who make CoderDojo possible.

If you want to find out more about CoderDojo and how you can get involved in helping the movement grow, go here.

Firedot Highlight Reports

Getting threat intelligence into your existing security products – SIEMs, endpoints, network tools — can significantly enhance their effectiveness. Here at Anomali we understand the value of product integrations, so much so that my entire job is to manage the 30+ we currently offer. Recently we launched a feature that allows you to create your own threat […]

The intelligence in this week’s iteration discusses the following threats: Compromised server, Cryptocurrency miner, Data theft, Malspam, Phishing, Targeted attacks, Underground markets, and Vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity. Trending Threats Olympic Destroyer Takes Aim At Winter […]

In our last post, we talked about how companies can use the concept of a No-Fly list to keep malicious actors out of their networks. So how does a cyber No-Fly list work in a real situation? We spoke with one of our customers, Alaska Airlines, about how they make the most of threat intelligence […]

My name is Teddy Powers. I have worked for Anomali (formerly ThreatStream) for almost the last three years and it’s been one of the best experiences of my life. But if you looked at my résumé or LinkedIn, much like anyone else, you’d do a double take. How in the world did he score a […]

North Korea, or more formally, the Democratic People’s Republic of North Korea (DPRK), is no stranger to international headlines. Most notably, it has captured attention in recent years for its nuclear testing and ballistic missile launches. Events in the cyber landscape have brought negative attention to North Korea as well. The United States officially blamed […]